Mailing List Archive

User authentication with key-file and gpg-agent
Hi!

Now that my initrd-script is ready and provides me with the means to
encrypt partitions with a gpg-encrypted key-file [1], I'd like to use
the very same file for user authentication.

It would be even better if gpg-agent could get it right from the user
authentication (pam) to use it for as many services as possible, ssh,
gpg, gnome-keyring (?), sudo (?), password database.

I think what I really want is something like a poor man's version of
smartcard authentication.

Could you please give me some hints? I'd be pleased to hear any
comments, criticism and recommendations on that issue.

Thanks in advance!

Florian Philipp

[1] basically 1k of random data, encrypted with 3DES by gpg
Re: User authentication with key-file and gpg-agent
Florian Philipp wrote:
> Hi!
>
> Now that my initrd-script is ready and provides me with the means to
> encrypt partitions with a gpg-encrypted key-file [1], I'd like to use
> the very same file for user authentication.
>
> It would be even better if gpg-agent could get it right from the user
> authentication (pam) to use it for as many services as possible, ssh,
> gpg, gnome-keyring (?), sudo (?), password database.
>
> I think what I really want is something like a poor man's version of
> smartcard authentication.
>
> Could you please give me some hints? I'd be pleased to hear any
> comments, criticism and recommendations on that issue.
>
> Thanks in advance!
>
> Florian Philipp
>
> [1] basically 1k of random data, encrypted with 3DES by gpg

emerge pam_usb

The latest version of pam_usb uses the usb serial number of the drive,
the older one uses an encrypted key in a hidden directory and can be
used with more than just a usb key (basically any mountable device would
work).

I would also recommend checking out how to make your own custom rules in
udev. This can let you auto-mount the device on connect, or run a
command on connect, etc.

Between the two you should be able to make a good auth function. If you
know any C/C++ you could combine the two into a custom setup (e.g. using
the contents of a file on the key, decrypted via the serial number to
get your gpg data..., or use your imagination.)

Good luck,
Chris Frederick
--
gentoo-security@lists.gentoo.org mailing list
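The udev half of Chris's suggestion, as an added illustration (this is not code from the thread or from pam_usb): a rule that matches one block device by the serial udev exports in ID_SERIAL_SHORT and runs a helper on connect, plus the helper's two checks. The serial `ABC123`, the helper path `/usr/local/sbin/keydev-attach` and the state directory `/run/keydev` are constructed placeholders; ID_SERIAL_SHORT and DEVNAME are the variables udev really puts in a RUN program's environment.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Shows a udev rule that
# fires for one specific storage device (matched by serial) and the helper
# udev runs on connect. Serial, paths and directory names are placeholders.

# Emit the rule text for /etc/udev/rules.d/99-keydev.rules (name assumed).
# ENV{DEVTYPE}=="disk" restricts it to the whole-disk node, so a device
# with several partitions does not trigger the helper once per partition.
make_udev_rule() {
    serial="$1"   # value of ID_SERIAL_SHORT as shown by `udevadm info`
    helper="$2"   # absolute path of the program udev should RUN
    printf 'SUBSYSTEM=="block", ACTION=="add", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL_SHORT}=="%s", RUN+="%s"\n' \
        "$serial" "$helper"
}

# Succeed only when udev's environment names the expected device.
# udev exports ID_SERIAL_SHORT and DEVNAME to RUN programs; if DEVNAME is
# missing we were not started by udev for a device event, so refuse.
keydev_matches() {
    expected="$1"
    [ -n "${DEVNAME:-}" ] || return 1
    [ "${ID_SERIAL_SHORT:-}" = "$expected" ]
}

# Record the device node in a root-only directory so the consumer (for
# example the script that later decrypts the gpg key-file) can find the
# device without scanning /dev. STATE_DIR is overridable so the function
# can be exercised without root; the default /run/keydev is a placeholder.
keydev_record() {
    dir="${STATE_DIR:-/run/keydev}"
    (
        umask 077                      # directory and file end up 0700/0600
        mkdir -p "$dir" || exit 1
        printf '%s\n' "$DEVNAME" > "$dir/node"
    )
}

# Helper body as udev would run it: check, then record; anything else is
# ignored silently because udev calls RUN programs for unrelated events too.
keydev_attach() {
    keydev_matches "$1" || return 0
    keydev_record
}

# Usage from a shell (placeholder values):
#   make_udev_rule ABC123 /usr/local/sbin/keydev-attach > /etc/udev/rules.d/99-keydev.rules
#   udevadm control --reload
```

The helper deliberately only records the node: udev kills RUN programs that run too long, and under systemd-udevd they run in a private mount namespace, so mounting the device or prompting for a gpg passphrase belongs in a separate service or in the PAM step that consumes `/run/keydev/node`, not in the udev hook itself.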